Joanne M. Flood - Wiley Practitioner's Guide to GAAS 2020

If the auditor is engaged to perform an audit of internal control over financial reporting that is integrated with the audit of financial statements, the auditor should apply the guidance in AR-C 940. (AU-C 265.04)

Source: AU-C 265.07.For definitions related to this standard, see Appendix A, “Definitions of Terms”: Deficiency in internal control, Material weakness, Significant deficiency.

The objective of the auditor is to appropriately communicate to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor’s professional judgment, are of sufficient importance to merit their respective attentions.

(AU-C Section 265.06)

The auditors must determine whether, on the basis of the audit work performed, they have identified one or more deficiencies in internal control. (AU-C 265.08)

The auditor must evaluate identified control deficiencies to determine whether they are— individually or in the aggregate—significant deficiencies or material weaknesses. (See “Definitions of Terms” section earlier in this chapter for definitions of those terms.) (AU-C 265.09) When evaluating the severity of control deficiencies, the auditor should consider both the possibility and the magnitude of the misstatement that could result from the deficiency.

The magnitude of a misstatement can be impacted by such factors as the amount or transaction volume that is exposed to the deficiency. When evaluating the magnitude of a potential misstatement, the recorded amount is considered the maximum amount by which an account balance or total of transactions can be overstated. However, understatements could cause a larger misstatement. (AU-C 265.A6–.A7)

The auditor must also consider whether there is a reasonable possibility that the entity’s controls will fail to prevent, or detect and correct, a misstatement. Notice that the determination of severity of a deficiency does not depend on whether the misstatement actually occurred. (AU-C 265.A5)

Possibility of the misstatement.The possibility of a misstatement is a continuous spectrum that ranges from “remote” to “reasonably possible” to “probable.” The following diagram illustrates this range, with “probable” as somewhat less than 100% certainty and “remote” as greater than a 0% chance, while “reasonably possible” is when the chance is more than remote.

The reasonable possibility that one or more deficiencies will result in a financial statement misstatement is affected by risk factors. Risk factors include the following:

The nature of the financial statement, transaction types, account balances, disclosures, and assertions

The susceptibility of assets or liabilities to loss or fraud

The cause and frequency of the exceptions detected as a result of the deficiency

The extent of judgment required to determine amounts, as well as the level of subjectivity and complexity in these decisions

The interaction of controls with each other

The interaction of deficiencies with each other

The future consequences of the deficiency

The importance of the controls to the financial reporting process

(AU-C 265.A8)

One can evaluate whether a deficiency presents a reasonable possibility of misstatement without quantifying a specific range for the probability of occurrence. It is quite possible that the probability of a small misstatement will exceed the probability of a large misstatement. (AU-C 265.A9)

Magnitude of the misstatement.The magnitude of a misstatement also is a continuous spectrum with two key thresholds, “inconsequential” to “material,” as illustrated in the following diagram.

The combination of possibility and magnitude.The evaluation of control deficiencies requires the auditor to consider both the possibility and the magnitude of the misstatement. Combining the previous two diagrams illustrates this concept.

When a control deficiency exists, there is a chance that the internal control system will fail to either prevent or detect a misstatement. This diagram illustrates that if the possibility of the misstatement being included in the financial statements is greater than remote and the magnitude of the misstatement is greater than inconsequential, then the deficiency is at least a significant deficiency. If the magnitude of the potential misstatement is greater than material, then a material weakness exists.

The following are indicators of material weaknesses in internal controls:

Fraud by senior management, even if immaterial

Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud

Identification of a material misstatement that would not have been detected and corrected by the entity’s internal controls

Ineffective oversight of financial reporting and internal controls

(AU-C 265.A11)

Significant deficiencies and material weaknesses must be communicated in writing to management and those charged with governance as a part of each audit. [AU-C 265.11–.12(a)] In this context, the appropriate level of management is one that has the responsibility and authority to take action to correct the deficiency. This is normally the CEO or CFO. For other deficiencies, it may be appropriate to communicate with personnel directly involved in the affected areas with the authority to take action. (AU-C 265.A21)

The auditor may communicate matters in writing or orally that he or she does not consider to be significant deficiencies but which nonetheless may be of benefit to the entity. If the communication is oral, it should be documented. [AU-C 265.12(b)] The auditor is not required to communicate such matters if they have been communicated by the auditor in a prior period or by others, such as internal auditors. (AU-C 265.A26)

If significant deficiencies and material weaknesses were not remediated following previous audits, this communication should repeat the description or reference the prior communications. While management may have made a conscious decision to accept the risk of a control deficiency, the auditor must still communicate the issue regardless of management’s decision. (AU-C 265.A20)

To avoid potential misunderstanding or misuse, the auditor should not issue a written communication that no significant deficiencies were identified during the audit. (AU-C 265.16) The auditor may issue a written communication that there were no material deficiencies identified. (AU-C 265.15)

Communication of internal control related matters should be made no later than 60 days following the report release date. (AU-C 265.13) However, it is best to make this communication by the report release date in order to allow those charged with governance more time to discharge their oversight responsibilities. (AU-C 265.A16) For significant issues in need of immediate correction, the auditor may choose to communicate those issues during the audit and can do so other than in writing; however, even if remediated, these issues should still be included in a written communication at the end of the audit. (AU-C 265.A17)